Carbon Black App Control (formerly Cb Protection)
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
What are PSScriptPolicyTest PowerShell files used for within Windows?
Environment
Microsoft Windows: All Versions
Microsoft PowerShell: All Supported Versions
Resolution
These files are randomly generated by Microsoft, and PowerShell attempts to execute them to determine which Language Mode it will run in when AppLocker is in use.
Allowing them to execute enables Full Language Mode in PowerShell.
Blocking them from execution enables Constrained Language Mode in PowerShell.
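The rule above as an added PowerShell example (not Carbon Black or Microsoft code): it takes allow/block records for script files, picks out the PSScriptPolicyTest probes, and reports the Language Mode this article predicts for each computer. The function name, the record schema (Computer, Action, Path) and the sample records are assumptions constructed for illustration.

```powershell
# Added example. Record schema and all sample data are constructed, not real log output.
function Get-PolicyTestOutcome {
    [CmdletBinding()]
    param(
        # Objects with Computer, Path and Action ('Allowed' or 'Blocked') properties
        [Parameter(Mandatory)] [object[]] $Record
    )

    # Probe files carry PSScriptPolicyTest in the name and are .ps1 or .psm1
    $probePattern = 'PSScriptPolicyTest.*\.(ps1|psm1)$'

    $Record |
        Where-Object { $_.Path -match $probePattern } |
        Group-Object -Property Computer |
        ForEach-Object {
            $blocked = @($_.Group | Where-Object { $_.Action -eq 'Blocked' }).Count
            $allowed = @($_.Group | Where-Object { $_.Action -eq 'Allowed' }).Count

            # Blocked probe -> Constrained Language Mode; allowed probe -> Full Language Mode
            if ($blocked -gt 0 -and $allowed -gt 0) {
                $mode = 'Mixed'   # both outcomes recorded; review each session separately
            } elseif ($blocked -gt 0) {
                $mode = 'ConstrainedLanguage'
            } else {
                $mode = 'FullLanguage'
            }

            [pscustomobject]@{
                Computer      = $_.Name
                ProbesAllowed = $allowed
                ProbesBlocked = $blocked
                ExpectedMode  = $mode
            }
        }
}

# Constructed sample records; the last one is an ordinary script and is not counted as a probe
$sample = @(
    [pscustomobject]@{ Computer = 'WS-01'; Action = 'Blocked'; Path = 'C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.xyz.ps1' }
    [pscustomobject]@{ Computer = 'WS-01'; Action = 'Blocked'; Path = 'C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.xyz.psm1' }
    [pscustomobject]@{ Computer = 'WS-02'; Action = 'Allowed'; Path = 'C:\Users\bob\AppData\Local\Temp\__PSScriptPolicyTest_efgh5678.uvw.ps1' }
    [pscustomobject]@{ Computer = 'WS-02'; Action = 'Blocked'; Path = 'C:\Users\bob\Downloads\setup.ps1' }
)

Get-PolicyTestOutcome -Record $sample | Format-Table -AutoSize

# Language Mode of the session running this script, for comparison on a live endpoint
"Current session: $($ExecutionContext.SessionState.LanguageMode)"
```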
Additional Information
Constrained Language Mode helps to reduce the attack surface of PowerShell.
Full Language Mode grants access to any language element and therefore to any Windows API.
If using App Control, it is highly recommended to create a Custom Rule and ABExclusion to prevent the information from being returned to the Server.